How to extract a field using regex at indexing tim...

kiran331 · ‎10-16-2017

Hi,

I'm ingesting the data in JSON format. we have a field event.user, which is auto extracted. is there a way to extract the new field user from event.user filed at indexing time?

for example:

event.user :
kiran331@SPl,
splunk@ADDS

I need to extract:

user:
kiran331
splunk

kunalmao · ‎10-17-2017

props.conf at your indexer
[]
REGEX =
FORMAT = ::$1
WRITE_META = [true|false]
DEST_KEY =
DEFAULT_VALUE =
SOURCE_KEY =
REPEAT_MATCH = [true|false]
LOOKAHEAD =

and then bind it to transforms.conf at your indexer

[]
TRANSFORMS- =

for more details you can refer

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Configureindex-timefieldextraction

kunalmao · ‎10-17-2017

it removed everything in brackets 😞

mtulett_splunk · ‎11-20-2017

You should be able to edit your answer to update the text. When writing code, put four spaces before each line to convert the text into a code block - this prevents your text from being modified automatically.

ddrillic · ‎10-16-2017

The following is great - Create custom fields at index time

How to extract a field using regex at indexing time?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...